CyberWire Daily - Facebook’s latest takedowns reach Pakistan, Russia, and the US. Election meddling. Chinese espionage looks inward, again. New alt-coin stealer. NZX DDoS update. That Twitter hack.

Episode Date: September 2, 2020

Facebook’s August takedowns included coordinated inauthenticity from Pakistan, Russia (that’s St. Petersburg, with a waystation in DC), and a US strategic communication firm. CISA and the FBI say ...nope, the Russians weren’t in voter databases. A Chinese APT turns its attention from Europe back to Tibet. A new cryptocurrency stealer is active in Central Europe. New Zealand DDoS attacks may be an extortion attempt. Joe Carrigan has the story of a reporter's stolen Facebook account. Our guest is Ophir Harpaz from Guardicore Labs with their Botnet Encyclopedia. And there may be another teenage mastermind behind last month’s Twitter hack. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/171

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Facebook's August takedowns included coordinated inauthenticity from Pakistan, Russia, and a U.S. strategic communication firm. CISA and the FBI say, nope, the Russians weren't in voter databases. A Chinese APT turns its attention from Europe back to Tibet. A new cryptocurrency stealer is active in Central Europe.
Starting point is 00:02:21 New Zealand's DDoS attacks may be an extortion attempt. Joe Carrigan has the story of a reporter's stolen Facebook account. Our guest is Ophir Harpaz from Guardicore Labs with their Botnet Encyclopedia. And there may be another teenage mastermind behind last month's Twitter hack. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 2nd, 2020. During August, Facebook took down three networks for engaging in coordinated inauthentic behavior, that is, organized disinformation.
Starting point is 00:03:12 The activity broke down as follows. 435 accounts, 103 pages, 78 groups, and 107 Instagram accounts run from Pakistan were removed. They sought influence in both Pakistan and India. The Stanford Internet Observatory characterizes these as aiming to counter criticism of either Islam or Pakistan's government. Thirteen accounts and two pages operated from Russia were taken down. Facebook said these were linked to individuals associated with past activity in the Russian Internet Research Agency. This activity was directed mostly against the U.S., the U.K., Algeria, and Egypt, with plenty of QAnon and COVID-19 chatter. Graphika says much of the network's
Starting point is 00:03:57 activity involved redirection to Peace Data, which represents itself as a progressive independent news service. Peace Data, it's only fair to say, has reacted with outrage, shocked and appalled by what they call the ugly lie that they're a Russian propaganda tool. Facebook took action against these networks on the strength of a tip-off from the FBI. 55 accounts, 42 pages, and 96 Instagram accounts linked to the Washington-based communications firm CLS Strategies were removed. This network devoted itself to Venezuela, with some attention also paid to Mexico and Bolivia. BuzzFeed reports that CLS Strategies didn't respond directly to a question about coordinated inauthenticity, beyond briefly stating a version of its corporate mission. The lines the accounts took were, in Venezuela, pro-opposition, in Bolivia, pro-regime,
Starting point is 00:04:51 and in Mexico, anti-Morena, a leftist political party. Facebook did note that CLS as a whole wasn't banned, since much of the firm's activity was legitimate. It's not yet known on behalf of what clients CLS may have been working. To return to Peace Data, the New York Times notes that the Internet Research Agency may have succeeded in making an American connection. According to the Times, the Russians succeeded in getting actual Americans to write for Peace Data, which would account for the relatively good idiomatic control
Starting point is 00:05:25 on display in its posts. The Times says the Internet Research Agency posted offers for freelance writers on a job board. The Times also says it spoke to one such freelancer who was steered to Peace Data by an IRA job board. The writer asked to remain anonymous because he didn't wish his professional reputation damaged by his having been duped by the Russian government. He was paid $75 a post, which, relatively speaking, is chicken feed in the freelance market. So in this case, the Russians appear to have made use of the usefully gullible, what the Russian organs less politely call the gavnoyed, the content on Peace Data's site,
Starting point is 00:06:05 which the Times believes to have been designed to harm the candidacy of Democratic nominee Joe Biden by fomenting dispute within what might otherwise be a more disciplined left, contains complaint that the Democrats are insufficiently progressive on various issues and denunciation of alleged Republican closeness to unsavory far-right elements.
Starting point is 00:06:26 When President Trump appears on Peace Data's pages, it's with horns, hooves, and a tail, metaphorically speaking. So if the Times is right, it's a relatively sophisticated propaganda gambit. Of course, Peace Data could just be the progressive site it claims to be, but it might be a front, too. Chatter about Russian compromise of U.S. voter databases has come to nothing.
Starting point is 00:06:55 CISA and the FBI haven't seen anything of the kind during this election cycle. If you look at the Twitter comments in the agency's thread, you'll find many skeptical one-liners, but we think CISA and the Bureau have got this one right. Yesterday's flurry of tweets linking back to a Russian newspaper article seemed to be much ado about some matters of public record. Researchers at Proofpoint report that Chinese government threat group TA413, which earlier deployed Sepulcher malware against European targets, is now using it in a spear-phishing campaign directed at the Tibetan diaspora. This, Proofpoint thinks, represents a realignment of Chinese cyber
Starting point is 00:07:32 espionage assets from Western targets of opportunity and urgency, the COVID-19 pandemic thrust to the fore, and back to more traditional targeting of domestic, the PRC holds to be unreliable and undesirable, like, of course, Tibetans. The recent wave of distributed denial-of-service attacks against targets in New Zealand, most prominently those against the NZX Stock Exchange, may have been part of an extortion campaign. Stuff reports that Government Communications Security Bureau Minister Andrew Little said that the GCSB is investigating emails received by victims shortly before the attacks that demanded a Bitcoin payoff.
Starting point is 00:08:13 If there was no payment, the attackers would render the victims' networks unavailable. Beyond that, GCSB hasn't said much. The investigation continues. The mastermind of the July 15 Twitter hack interest to the investigators, and this person of interest is of even more tender years. The New York Times reports that the FBI has served a Massachusetts teenager with a search warrant and tossed his parents' home. The parents themselves aren't suspects, but their son, who quite properly lives with them, is. The warrant and other documents are under seal, and the teenager has not been charged. The New York Times declines to name
Starting point is 00:09:05 the young man on account of his youth, but they do cite sources that told them the youth of interest may have been at least partly responsible for planning the breach and carrying out some of its most sensitive and complicated elements. So instead of one mastermind, the Twitter hack may in fact have had two. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:09:45 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:39 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:11:32 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. The folks at Guardicore Labs recently launched a botnet encyclopedia, which they describe as a universal knowledge base of past and present botnet campaigns researched by the lab's team. Ophir Harpaz is a security researcher at Guardicore Labs. So Guardicore has a special network of sensors deployed worldwide and each one of these sensors is able to capture cyber attacks and record every single event that takes place in these attacks. And since we have
Starting point is 00:12:27 this very unique database of mass scale attacks, we decided that we would like to share it with the security community so that both security researchers, threat analysts, and defenders can take a look at the data and maybe incorporate the data into their policies and defensive mechanisms, and maybe to expand the research themselves. I mean, we have all this data and we thought, why keep it for ourselves? That's basically the main motivation. So you put together Guardicore's Botnet Encyclopedia. Can you give us some examples or what are the types of things that people can expect to find in here? So we mostly see mass scale attacks. These are opportunistic attacks that aim at a very, very high number of servers worldwide. And we mostly see denial of service attacks,
Starting point is 00:13:26 distributed denial of service, DDoS, and crypto mining attacks. But from time to time, we also see very interesting attacks in technical terms or in terms of the scope that the attack campaign reaches. So we can find both Mirai-like campaigns that we're all very familiar with and used to, but from time to time we see more unique type of attacks. So we can find both in the encyclopedia. when it comes to botnet from the research that you're doing, having a very close look at these sorts of things. Is this something that we're getting a handle on or are we staying even with the task or are they gaining ground on us? I think it's a kind of, well, I'm not the first to say it, but it's kind of a cat and mouse game. So attackers are definitely becoming more sophisticated. I can say that for sure. I'm looking into these attacks. They are very talented software developers. Many of them know what they do and why they do it. But on the other hand, we're also becoming smarter. We're monitoring
Starting point is 00:14:40 their malicious activity and we're improving our security measures accordingly. So I can't really say that we're getting ahead of them all the time, but it's kind of a, you know, one step on their end and then we're making one step to achieve their pace. That's Ophir Harpaz from Guardicore Labs. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:15:30 the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave.
Starting point is 00:16:13 Interesting story came by. This is from WHEC, which is a television station in Rochester, New York, from one of their reporters named Deanna Dewberry. And she ran into some interesting trouble with her Facebook page. What's going on here, Joe? That's right. She has a professional Facebook page that she maintains on Facebook, of course, and has over 11,000 followers and 10,000 people who like the page. And at one point in time, recently, her Facebook page has been hijacked. And it looks like this was a pretty good social engineering attack that they targeted Deanna.
Starting point is 00:16:56 She got a notification message telling her that she had violated Facebook's community standards and that her account could be disabled, right? Which is a typical fear tactic that social engineers use to get you to short circuit your thinking. And then was essentially phished for her credentials. So following the advice of these fraudsters, they'd already gotten her attention. She is prompted to enter her username and password and then change her password. And then one prompt asks for her ID, which made her suspicious, but she researched it. And according to Facebook's help section, they will ask for your ID when there's suspicious activity. Now, I don't know about you, Dave, but if Facebook is actually asking me for my driver's license, that's it.
Starting point is 00:17:46 I'm not going to give Facebook my driver's license, period. Fair enough. I don't have a publicly facing Facebook presence for Joe Carrigan from JHU. That's just not how I roll. I do that on Twitter, but not on Facebook. I had one friend who said to Facebook, no, I'm not going to give you my ID. I've been on Facebook for 10 years. I use a pseudonym and I like using a pseudonym. And if you don't like that, then we can terminate our relationship right now. And this person is still on Facebook. So I guess it worked out. But this person also doesn't have any public facing
Starting point is 00:18:20 pages as well. But I can see why they wanted it. Now, I will bet that Facebook asked these scammers for the ID, and the scammers just turned around and asked Deanna for her ID, so then they could present it and look like Deanna to Facebook. Once they got control of the page, they deleted all of her posts that were on that page. They completely cleared out the history, and they turned it into a hair care product, and they limited the audience to only people in Vietnam and Cambodia, which is interesting because now her 10,000 or 11,000 followers in the U.S. can't see her page anymore. So why would they do this? Then they start selling hair care products? Well, my guess is that they wanted to take over a page that had a lot of followers so that when they limited the access, the global access to these two countries,
Starting point is 00:19:11 people in those countries would see, hey, this page already has a lot of followers. It must be legit. Right. Lots of people like these hair care products. They must be good. Exactly. And one of Deanna's biggest gripes here, and it's a legitimate gripe, is that these people then proceeded to buy advertising to promote this page. And Facebook took advertising dollars from these scammers to promote this page to almost half a million viewers. And she has a legitimate gripe here. Fortunately, she has taken care of the access to the page and has regained access to it. And I hope that she has enacted two-factor authentication. Facebook offers three
Starting point is 00:19:50 ways you can do multi-factor authentication. They'll send you a text message with a code. They'll give you a software token that you can use like Google Authenticator with. Or you can actually use something like a YubiKey, use a hardware token. And that's how I have my account secured. If you don't want to make the expense of buying a YubiKey, Google Authenticator, I think, is fine. It's pretty good. Any of the authentication apps are all pretty much the same inner workings. The only risk is that at some point in time, you have to expose your seed on a web page. And as long as nobody's taking screenshots of your machine while that's happening, you're going to be fine.
Starting point is 00:20:28 But if somebody is taking screenshots of your machine, if there is somebody malicious on the inside and they have that kind of control, then they're going to have access to all your multi-factor authentication. But that's kind of low risk. Yeah. Yeah. Well, so the good news is she got control back.
Starting point is 00:20:45 Right. But it's an interesting case here, and I guess a reminder that anything that is of value, you should have multi-factor set up for. Absolutely. Absolutely. It's unfortunate, especially since they deleted all of her content. She was using a lot of the content for writing books,
Starting point is 00:21:02 and Facebook says they can't restore it for her, which I think is unfortunate. Yeah. As hard as it is to delete a Facebook page or a Facebook account, you know, like really, it's hard to believe that anything's gone forever. Yeah. I don't think that information is gone. I don't think those posts don't exist anymore. I just think the visibility is set to false and that Facebook just doesn't want to take the time to go back through and do that for Deanna. And I understand why they don't want to do that because if they do that, they may think they have to do it for everybody, but they really don't. They can be selective. This is a case here where I think it would be good for them. I mean, she's got a pretty big following. She's a pretty well-established and prestigious journalist. And I don't think
Starting point is 00:21:51 she's going to stop talking about this. It may be in Facebook's interest to go ahead and help her out here. All right. Interesting story for sure. Joe Carrigan, thanks for joining us. My pleasure, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time, keep you informed, and it's faster than a speeding bullet. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:49 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
